Certain users, like the approver on a request, are not able to download the attachment from the activity stream of the approval form (or any other record) in the Service Portal.
The issue may occur due to the approver not having enough roles to grant read access on the [sys_attachment] table.
This is a customization to alter OOB system behavior. Customization and implementation assistance are out of the scope of support and the customized scripts, if any, will be skipped during an upgrade.
As a workaround to this, a read ACL can be created on the [sys_attachment] table that would allow users to access the sys_attachment record, subsequently letting the affected user download the record.
- Go to sys_security_acl.list (System security > Access control)
- Create a new READ type ACL on [sys_attachment] (sys_attachment.none), allowing users to provide read access to sys_attachment records.
The above workaround grants access to the sys_attachment table. Make sure to have thorough testing done to ensure it does not interfere with any other business logic.